There are quite a few cases where people are called out for disclosing the front face of a credit or debit card (e.g. this tweet from Brian Krebs or this Twitter account). So I was wondering what the impact of this disclosure for the card holder is likely to be.

From the front of a card, a fraudster could get the card PAN (16-digit number), start date/expiry date and cardholder name. Also, for debit cards, the cardholder's account number and sort code (that may vary by region).

So the question is, what's the likely impact of the disclosure of this information (i.e. what frauds could be committed)?

Some initial thoughts I had were:

Cardholder Not Present transactions shouldn't be possible as the CVV hasn't been disclosed.

The card wouldn't be clonable with just that information as there's other information needed for the magstripe.

It is not mandatory for a merchant to require the security code for making a transaction, hence the card is still prone to fraud even if only its number is known to phishers.

On most EFTPOS systems, it's possible to manually enter the card details. When a field is not present, the operator simply presses enter to skip, which is common with cards that don't carry a start date. On these systems, it is trivial to charge a card without the CVV. When I worked in retail, we would frequently do this when the chip on a card wasn't working and the CVV had rubbed off. In such cases, all that was needed was the card number and expiry date, with a signature on the receipt for verification.

But wasn't it contrary to policy and rules to accept credit card information from a customer, in person, if they did not have the credit card in their possession? As a cashier, I always knew there were cameras, even intermittently, so I would have been implicated as an accessory if I were to accept payment from a customer without a card, if the customer was physically present in the store.
– Ellie Kesselman, Oct 23 '12 at 8:49

@FeralOink They had the card, but the chip didn't work and the CVV was rubbed off. I was simply providing an example of where I'd personally seen cards used without CVV. It's possible to set up a fraudulent merchant account and steal cash in this way. It's also possible to find stores that don't require CVV, though it's rare these days.
– Polynomial, Oct 23 '12 at 9:05

@Polynomial +1. I worked in retail for 5 years and there was many a time I would manually just enter the credit card number/expiration date, but never the CVV. Some systems (like the one I worked at) don't even have a place to put the CVV in.
– ROFLwTIME, Oct 23 '12 at 12:45

In his case, Apple only required the last digits for his credit card (which his attacker obtained from Amazon) in order to give up the account. It stands to reason that other vendors may be duped if an attacker were to provide a full credit card number including expiration dates.

+1 While the financial information leak may be more or less obvious, there are far more ways to use a credit card than just buying stuff, especially when so many vendors use the last 4 digits as a backup customer ID.
– Phil, Oct 23 '12 at 13:34

You would need CVV and expiration date for verification, although expiration date is on the front face of a card. Also required is the billing address, or at a minimum, the zip code of the billing address, neither of which are on the front or back of the card.

However, this depends on whether you're buying something retail, in person versus online. If you are working in retail where the card details can be manually entered, which is definitely an option unless there are policies against it, or maybe a POS machine that won't allow it (although that hasn't been my experience, as magnetic strips get demagnetized by women's magnetic purse fasteners A LOT), there would be the potential for fraud. There would be no need for billing zip code or billing address. It would require the complicity of the cashier as well as the customer though. This is why: Even though the card info can be entered manually, it is NEVER acceptable to take the information from a person who hands you a piece of paper with their card details.

On the phone, or online, you will need name, card number, expiration date, CVV (4 digit for AmEx, 3 digit for Visa/MC) and billing address (and shipping address) for a physical delivery. If you are ordering something that doesn't need to be delivered, and remember, you have now restricted your options for illegal purchases significantly, you would still need billing zip code, even though you wouldn't need address etc.

What can you buy online or on the phone, with name, card number, CVV and zip code? Well, iTunes caps monthly purchases at $5,000 per month as a default. So you could buy a lot of iTunes music, or premium membership to expensive porn sites, or lots of cloud storage, or online games. But even if you were to do any of that, you would still need to use the services from somewhere that was associated with an IP address. I doubt that it is practical to play games via Tor, same is true for streaming porn, though I am not certain. And if you bought iTunes songs, Apple would need to know enough identifying information about you that it wouldn't be safe. You couldn't buy stuff via PayPal or Amazon, as you'd need to take physical delivery of the items, which would be incriminating, whether to you or someone else who acted for you.

And all of this would be moot without the billing zip code, which is not on the front of the card. I don't have any sources, just experience working at a casino, on a huge 500 person ship, for a year. And I purchase lots of clothes and things online. I'll look for something to cite, but it tends to be a result of widely observed electronic payment practices rather than technological impossibility.

EDIT:
See the answers to this question: "What is the use of stolen credit card details?" The answers are based on access to mass quantities of cards, or willingness to allow someone to get in trouble for taking delivery of your purchases (the answer referred to that as "a rube"), or rather elaborate eBay card swapping schemes. It wasn't straightforward. (Many are in pursuit of credit card information, but I often wonder what most people can actually do with it, other than cause inconvenience and fear. ZeuS or SpyEye is the exception, as it appears disturbingly versatile).

It's worth mentioning that American Express credit cards do have the CVV on the front side (not the back), along with the card number, the cardholder name, and the expiration date. Therefore, disclosing the front face of an Amex card would allow arbitrary purchases, even card-not-present purchases.

All that is required to run a credit card transaction is the PAN (Primary Account Number), which is basically the 16 digits found on the front of a card. That's all that really happens when a card is swiped - the machine reads the PAN that is encoded onto the card's magnetic strip. Therefore - if someone has the front face of your card, your account is compromised.

Card Present, matching ID card/signature, CVV (security code), AVS (address verification), and others are added layers of security that a merchant might ask you for, especially in a risky environment such as online shopping. But, these are by no means required. You could get away running a transaction with just the 16 digits, though most merchants won't allow that because of the risk of fraud and chargebacks.
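
Added example, not part of any answer above: a merchant-side acceptance check that treats CVV, AVS and keyed entry as optional layers, run under a lax and a strict policy against requests that carry only front-of-card data. The class names, channel names and result labels are assumptions made for this sketch, not any processor's API or response codes.

```python
from dataclasses import dataclass

# Check outcomes are hypothetical labels for this example, not processor codes.
MATCH, NO_MATCH, NOT_PROVIDED = "match", "no_match", "not_provided"

@dataclass(frozen=True)
class AuthRequest:
    channel: str             # "card_not_present" or "keyed_in_store"
    cvv: str = NOT_PROVIDED  # result of the security-code check
    avs: str = NOT_PROVIDED  # result of the billing address / zip check

@dataclass(frozen=True)
class Policy:
    require_cvv: bool
    require_avs: bool
    allow_keyed_entry: bool

def decide(req: AuthRequest, policy: Policy) -> str:
    """Return "accept" or "decline:<reason>" for one request."""
    if req.channel == "keyed_in_store":
        # Manual entry skips chip and magstripe, so accepting it is a policy choice.
        return "accept" if policy.allow_keyed_entry else "decline:keyed_entry"
    # A failed check is declined even when the layer itself is optional.
    if req.cvv == NO_MATCH or (policy.require_cvv and req.cvv != MATCH):
        return "decline:cvv"
    if req.avs == NO_MATCH or (policy.require_avs and req.avs != MATCH):
        return "decline:avs"
    return "accept"

LAX = Policy(require_cvv=False, require_avs=False, allow_keyed_entry=True)
STRICT = Policy(require_cvv=True, require_avs=True, allow_keyed_entry=False)

# Constructed requests carrying only data printed on the card front.
FRONT_ONLY = AuthRequest("card_not_present")             # PAN, expiry, name
AMEX_FRONT = AuthRequest("card_not_present", cvv=MATCH)  # code is on the front
KEYED = AuthRequest("keyed_in_store")                    # typed at a terminal

def compare() -> dict:
    """Map each constructed case to its (lax, strict) decisions."""
    cases = {"front_only": FRONT_ONLY, "amex_front": AMEX_FRONT, "keyed": KEYED}
    return {name: (decide(r, LAX), decide(r, STRICT)) for name, r in cases.items()}

if __name__ == "__main__":
    for name, (lax, strict) in compare().items():
        print(f"{name:11} lax={lax:8} strict={strict}")
```

Under the strict policy the Amex-style request still fails on AVS, which reflects the point made earlier in the thread that the billing zip code is not printed on the card.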